ITmerrr
Advocate I

Options for more Granular permissions to areas of Fabric Admin Portal

Currently it's not possible to manage access to Fabric via a custom role, as Fabric permissions are not supported for custom roles.

It would be great to be able to grant granular access to areas in Fabric. Currently this is only possible via an App registration/Delegated permissions, but is not possible for areas like 'tenant settings', as the API permission for this is 'Tenant.ReadWrite.All', which grants access to more areas than required.
2 ACCEPTED SOLUTIONS
rohit1991
Super User

Hi @ITmerrr ,

You've raised an important point. Currently, the limitation around custom roles not supporting Fabric-specific permissions does make it challenging to manage granular access—especially when dealing with sensitive areas like tenant settings. While there are some built-in layers of security in Fabric, such as workspace roles, item-level permissions, and OneLake data access controls, these do not fully address the need for fine-tuned administrative access.

 

As you mentioned, using delegated permissions via app registrations can help in some scenarios, but broader permissions like 'Tenant.ReadWrite.All' often grant more access than is necessary or desirable. This gap makes it difficult to follow the principle of least privilege. It would certainly be beneficial if Microsoft introduced more refined role-based access controls or scoped API permissions that target specific areas of the Fabric Admin Portal. Submitting this as feedback through the Microsoft Fabric Ideas portal might help bring more attention to the need for better administrative granularity.

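A least-privilege check for the situation discussed above, as an added example that is not part of the original thread and not Microsoft's code: it decodes the access token an app registration actually receives and reports tenant-wide permissions and permissions beyond what the job needs. The token is constructed and unsigned; `Tenant.Read.All`, `Workspace.Read.All`, the function names and the `needed` set are assumptions for illustration.

```python
import base64
import json

# Assumption: permissions treated as tenant-wide for this audit. Only
# 'Tenant.ReadWrite.All' is named in the thread; 'Tenant.Read.All' is its
# read-only counterpart.
TENANT_WIDE = {"Tenant.ReadWrite.All", "Tenant.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it (audit use only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def audit(jwt: str, needed: set) -> dict:
    """Compare what the token grants with what the task needs."""
    claims = token_claims(jwt)
    # Delegated permissions arrive as a space-separated 'scp' string,
    # application permissions as a 'roles' list.
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    return {
        "tenant_wide": sorted(granted & TENANT_WIDE),
        "unneeded": sorted(granted - needed),
        "missing": sorted(needed - granted),
    }


def make_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig"


# Constructed sample: a delegated token carrying the broad scope.
SAMPLE = make_sample_token({"scp": "Tenant.ReadWrite.All Workspace.Read.All"})

if __name__ == "__main__":
    print(audit(SAMPLE, needed={"Workspace.Read.All"}))
```
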

v-csrikanth
Community Support

Hi @ITmerrr 

Hello and a big thank you for taking the initiative to raise this idea in the Fabric Community! Your proactive contribution not only highlights important enhancements but also drives our product forward. I’ve just upvoted your suggestion and encourage others to do the same—your voice truly makes a difference.

If there’s anything more I can help with, just let me know!


Best Regards,
Community Support Team _ C Srikanth.


9 REPLIES 9
v-csrikanth
Community Support

Hi @ITmerrr
I hope you have already raised it in the ideas forum.

If you are still facing any new issues related to the Fabric and Power BI forum, do reach out to us in the community; otherwise, can you mark the post as resolved?

Looking forward to your reply!


Best Regards,
Community Support Team _ C Srikanth.



ITmerrr
Advocate I

In light of the limitations mentioned, I have raised an Idea on the portal.

https://community.fabric.microsoft.com/t5/Fabric-Ideas/Options-for-more-Granualar-permissions-to-are...

 

Please upvote 😊

GilbertQ
Super User

Hi @ITmerrr

You could look at using the new domain delegation settings available in the tenant settings here, or for more details see Domains - Microsoft Fabric | Microsoft Learn

Hi, thank you for your reply.

I have taken a look at the options available and unfortunately this doesn't align with the requirements to assign access/permissions to areas of the admin portal as noted.

Any other suggestions would be greatly appreciated!

Currently this feels like a limitation for most of the areas listed in my reply below:

Areas to provide access:

- Tenant Settings (the only app permission provides too much access ('Tenant.ReadWrite.All'))
- Usage Metrics
- Users
- Premier Per User
- Audit logs
- Workloads (API permissions grant access to all)
- Workspaces

Whilst not providing access to the rest of the admin portal.

 

ITmerrr
Advocate I

Thank you for your response, very much appreciated!

I agree there is some level of granular permissions within Power BI as you noted.

The requirement would be to provide access to the below areas whilst not providing access to the other areas in the Admin portal:

Areas to provide access:

- Tenant Settings (the only app permission provides too much access ('Tenant.ReadWrite.All'))
- Usage Metrics
- Users
- Premier Per User
- Audit logs
- Workloads (API permissions grant access to all)
- Workspaces

Whilst not providing access to the rest of the admin portal.

It's not possible via custom roles as previously described, and via API permissions they are not granular enough, for example ('Tenant.ReadWrite.All' for tenant settings).

There are granular permissions in Fabric; however, to get access to all the required areas would mean granting Fabric admin, which also grants access to areas that the users should not get access to.

Ideally we need a way to more granularly assign API permissions or enable the use of custom roles for Fabric.

Hopefully this makes more sense, any questions please let me know.


Thank you for replying.

I have now raised an idea link on the portal, please upvote 😊

https://community.fabric.microsoft.com/t5/Fabric-Ideas/Options-for-more-Granualar-permissions-to-are...

ibarrau
Super User

Hi. There are granular permissions. I'm not sure what you are asking here.

Fabric has three security levels and they're evaluated sequentially to determine whether a user has data access. The order of evaluation for access is:

  1. Microsoft Entra ID authentication: checks if the user can authenticate to the Azure identity and access management service, Microsoft Entra ID.
  2. Fabric access: checks if the user can access Fabric.
  3. Data security: checks if the user can perform the action they've requested on a table or file.

The third level, data security, has several building blocks that can be configured individually or together to align with different access requirements. The primary access controls in Fabric are:

  • Workspace roles
  • Item permissions
  • Compute or granular permissions
  • OneLake data access controls (preview)

If this doesn't cover your requirement, please add details on what you need to accomplish so we can check if it's possible.

I hope that helps,

